This study investigates the effectiveness of multifactor authentication (MFA) in protecting commercial accounts from unauthorized access, with an additional focus on accounts with known credential leaks. We employ the benchmark-multiplier method, coupled with manual account review, to evaluate the security performance of various MFA methods in a large dataset of Microsoft Azure Active Directory users exhibiting suspicious activity. Our findings reveal that MFA implementation offers outstanding protection, with over 99.99% of MFA-enabled accounts remaining secure during the investigation period. Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials. We further demonstrate that dedicated MFA applications, such as Microsoft Authenticator, outperform SMS-based authentication, though both methods provide significantly enhanced security compared to not using MFA. Based on these results, we strongly advocate for the default implementation of MFA in commercial accounts to increase security and mitigate unauthorized access risks.